ommended language to demonstrate how the features and functional char- acteristics of your product meet the Revised 508 Standards.”
Currently, the IT Industry Council provides the VPAT as a “Microsoft Word file that can be used as is or reproduced in other formats.”
As identified above, documenting compliance in a proprietary, non- machine-readable format such as Word makes an already cumbersome process even more so. For product developers, it essentially relegates the VPAT to a requisite checklist annoyance that sig- nificantly impedes modernization and innovation.
To make the VPAT more desirable and easily integrated into the compli- ance process, the solution is to shift to a non-proprietary, machine-readable format. The YAML-based Jekyll VPAT created by Ben Balter, senior technical program manager at GitHub, is a great example of this.
Such a machine-readable format can then be easily incorporated into the compliance-as-code process and repurposed by others. By taking that approach, we eliminate an emphasis on format and instead focus solely on the data needed to process the VPAT. Digital product developers and com- pliance and accessibility profession-
als will save unimaginable amounts of time, money and energy.
Compliance doesn’t equal
accessibility (and vice versa)
Although compliance is a noble requirement — and an unavoidable reality for federal agencies and their industry partners — we must remem- ber that it isn’t a substitute for true security or accessibility.
As the IT Industry Council says: “While a VPAT can be an essential
aid in assessing the availability of ICT products with accessibility fea- tures, it is important to note that, even in cases where a product conforms to relevant standards and technical specifications, an end user may still encounter difficulties utilizing it due to the nature or severity of his or her disability. On the other hand, a prod- uct that may not fully conform to all technical requirements may still be perfectly accessible to an end user who has a disability but does not need a particular accessibility feature — e.g., a large-button telephone hand- set for an individual with a hearing disability.”
Baking VPAT into the code-as-com- pliance process isn’t a panacea. But it is a humble beginning to prioritiz- ing accessibility and making a cum- bersome process less so. By shifting the mindset and approach to one of open principles, machine-readable accessibility can become equally important to security in the compli- ance process.
By doing this, we move closer to the goal of truly protecting and serv- ing everyone. n
Luke Fretwell is co-founder and CEO of ProudCity, a digital government platform.
Related reading: Compliance as code for faster ATOs
Automating authority-to-operate processes could replace paperwork- intensive system security plans with reciprocal systems that conduct security checks through continuous code monitoring. Mary Lazzeri, a former technology adviser at the U.S. Digital Service, argues on FCW.com for “the creation of a Federal Compliance Library of vetted presets, templates and baselines
for various known IT systems and technology stacks” as an important step toward that goal. FCW.com/ATO_ASAP
January/February 2021 FCW.COM 51